Making the ExactMetrics plugin CSP (Content Security Policy) compatible

Adding Content Security Policy HTTP header or html meta tags to your website will add another layer of security by protecting the website and it’s visitors from Cross-site scripting (XSS) attacks. Another good reference for CSP is this: https://content-security-policy.com/.

Example of a CSP HTTP header would be

<?php
add_action('send_headers', 'set_CSP_header');
add_action('login_init', 'set_CSP_header');
add_action('admin_init', 'set_CSP_header');

function set_CSP_header() {
 $CSP = "Content-Security-Policy: default-src 'none'; script-src 'self' www.google-analytics.com; connect-src 'self'; img-src 'self'; style-src 'self';";
 header($CSP);
}
?>

Currently this CSP header does not work with ExactMetrics plugin because it blocks the tracking script from loading. Website adminstrators would have to have ‘unsafe-line’ in the script-src directive to allow loading of the tracking script. Using ‘unsafe-inline’ removes most of the XSS protection that CSP is able to give.

To make ExactMetrics CSP compatible, the tracking script would have to be loaded from a separate .js file.

Are you planning on adding this feature? If yes, when? If no, what would be the challenges in making this plugin CSP compatible?

• This topic was modified 5 years, 8 months ago by kysymysteke.